From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Sun 01 Dec 2002 - 21:13:35 GMT
On Sun, 1 Dec 2002, Sascha Silbe wrote:
> asmlinkage int sys_set_ipv4root (__u32 ip[], int nbip, __u32 bcast)
> [...]
> }else if (ip_info == NULL
> || ip_info->ipv4[0] == 0
> || capable(CAP_NET_ADMIN)){ <<------------------
> // We are allowed to change everything
> So the docu says no capability enables one to break out of ipv4root,
`CAP_NET_ADMIN' allows you to reset the iproot to `0.0.0.0' (unrestricted).
The only person likely to have this is real-root in ctx-0 (host server).
Otherwise, you may only select a subset of those IPs that you currently have
access to--just like `chroot()' does for filesystems. Admittedly there is a
`CAP_SYS_CHROOT' to [dis]able `chroot()' but I can't personally see why
there is reason for restricting a call that allows people to demote
themselves.
-Paul
PS. Any reason for the duplicate messages?
-- Nottingham, GB